This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Message schema

1 - Overview

When processing incoming data, AxoRouter automatically converts everything to its internal message model, and maps the contents of the model to the specific destinations as needed. The internal message model of AxoRouter is based on the OpenTelemetry Log Data Model, so what is sent to the destination is determined by the log section of the model (the main payload is log.body).

The meta section contains all the information and metadata AxoRouter has about the message: what was its source, how it was received, where it will be forwarded, how was it classified, and so on. You can use these metadata for example:

The related metrics of these data can be used:

When AxoRouter sends the message to its destination, parts of these metadata is automatically mapped into the relevant log field, but most of it (for example, labels) isn’t send to the destination by default.

For most destinations, there are specific fields that allow you to configure specific values that are sent to the destination, or to override the log.body field completely.

The message model has the following main elements:

  • log: The log data structure describes the log record.
  • meta: Metadata about a specific message record, for example, a log message.
  • resource: The resource data structure describes the resource that generated the log record.
  • scope: The scope data structure describes the Log Scope.

2 - Message schema reference

Log (object)

log

The log data structure describes a log record.

Log Attributes (object)

log > attributes

Additional attributes that describe the specific event occurrence. Every attribute key must be unique.

Log Body (string)

log > body

The body of the log record, which can contain strings and structured data composed of arrays and maps of other values.

Event date (observed) (number)

log > observed_time_unix_nano

Time when the event was observed by the data pipeline, in UNIX Epoch time (nanoseconds elapsed since 00:00:00 UTC on 1 January 1970). A value of 0 indicates unknown or missing timestamp.

  • For events that originate in OpenTelemetry, this timestamp is typically set at the generation time and is equal to time_unix_nano.
  • For events originating externally and collected by an Axoflow agent or an AxoRouter, this is the time when the Axoflow pipeline observed the event.

Log Severity Number (number)

log > severity_number

Numerical value of the severity, normalized to values described in Log Data Model.

Log Severity Text (string)

log > severity_text

The severity as a string (log level). The original string representation as described at the source. For the numerical to string mapping, see log.severity_number.

Event date (number)

log > time_unix_nano

The time when the event occurred in UNIX Epoch time (nanoseconds elapsed since 00:00:00 UTC on 1 January 1970). A value of 0 indicates unknown or missing timestamp.

Metadata (object)

meta

Metadata about a specific message record, for example, a log message.

Classified (object)

meta > classified

The value of vendor, product, service name and other metadata set during classification.

Classified Product (string)

meta > classified > product

The product name of the source that generated the message, as determined by the classification.

Classified Service Metadata (object)

meta > classified > service

The name of the service that generated the message, as determined by the classification.
Classified Service Name (string)
meta > classified > service > name

Classified service Name for appliance.

Splunk metadata (object)

meta > classified > splunk

Splunk metadata extracted during classification.
Host (string)
meta > classified > splunk > host

The name of the host as sent to Splunk. Usually, this is the hostname of the source where the data originated from.
Splunk Index (string)
meta > classified > splunk > index

The name of the Splunk index where the message is sent. The index must exist in Splunk, otherwise sending the data will fail.
Splunk Source (string)
meta > classified > splunk > source

The source field sent to Splunk, containing where the event originated. For example, the protocol and port for network-based sources, or the path and filename for log files.
Splunk Sourcetype (string)
meta > classified > splunk > sourcetype

The Splunk sourcetype value that corresponds to the appliance, application, or service that generated the data.

Classified Vendor (string)

meta > classified > vendor

The name of the vendor of the source that generated the message, as determined by the classification.

Connection (object)

meta > connection

Information about the network connection that transmitted the message.

Destination IP address (string)

meta > connection > dest_ip

IP address where the message was sent to according to the IP header.

Related metric label: dest_ip

Destination port (number)

meta > connection > dest_port

TCP or UDP port number where the message was sent to according to the transport header.

Related metric label: dest_port

IP protocol (number)

meta > connection > ip_protocol

Network protocol version used for receiving this message.

Possible values: 4, 6

Related metric label: ip_protocol

Protocol (string)

meta > connection > protocol

Transport protocol used for receiving this message.

Possible values: TCP, UDP

Related metric label: protocol

Source IP address (string)

meta > connection > src_ip

IP address that sent the message according to the IP header.

Related metric label: src_ip

Transport (string)

meta > connection > transport

The transport mechanism used to retrieve or receive the message.

Example: rfc3164+tls

Related metric label: transport

Connector (object)

meta > connector

Information about the Connector that received the log. See the “attributes” column on the Connectors page for details.

Labels (object)

meta > connector > labels

Labels set on the connector that received the message.

Prefix of related metric labels: connector_label_*

Name (string)

meta > connector > name

The name of the connector that received the log.

Example: myrouter-otlp

Related metric label: connector_name

Syslog Connector Related Metadata (object)

meta > connector > syslog

Parameters for processing the message from a Syslog source.
Splunk Log Type (string)
meta > connector > syslog > splunk_log_type

The type of the payload received from Splunk HF.

Possible values: syslog, plaintext

Type (string)

meta > connector > type

The type of the connector that received the message.

Possible values: otlp, soup, syslog, webhook, windowsEvents

Example: otlp

Related metric label: connector_type

Destination Connector (object)

meta > destination

Information about the Destination Connector.

Clickhouse Metadata (object)

meta > destination > clickhouse

Parameters for sending the message to a Clickhouse destination.

Prefix of related metric labels: clickhouse_*

Clickhouse Raw Body (boolean)
meta > destination > clickhouse > body_raw

Override the option to send raw body to the Clickhouse destination. (default: false)
Clickhouse Raw Meta (boolean)
meta > destination > clickhouse > meta_raw

Override the option to send raw metadata to the Clickhouse destination. (default: true)

Elasticsearch Metadata (object)

meta > destination > elasticsearch

Parameters for sending the message to an Elasticsearch destination.

Prefix of related metric labels: elasticsearch_*

Elasticsearch Fields (object)
meta > destination > elasticsearch > fields

Fields to send to Elasticsearch. This overrides the default fields set by the destination connector.
Elasticsearch Index (string)
meta > destination > elasticsearch > index

The Elasticsearch index to send the message to.
Elasticsearch Message (string)
meta > destination > elasticsearch > message

Override the message to send to Elasticsearch. When set, log.body is ignored.
Elasticsearch Timestamp (string)
meta > destination > elasticsearch > timestamp

Override the timestamp to send to Elasticsearch. When set, log.time_unix_nano is ignored.

Google SecOps Metadata (object)

meta > destination > google_secops

Parameters for sending the message to a Google SecOps destination.

Prefix of related metric labels: googlesecops_*

Google SecOps Customer ID (string)
meta > destination > google_secops > customer_id

This overrides the default customer ID configured in the destination connector.
Google SecOps Log Text (string)
meta > destination > google_secops > log_text

The text of the message to send to Google SecOps. When set, log.body is ignored.
Google SecOps Log Type (string)
meta > destination > google_secops > log_type

This overrides the default log type configured in the destination connector.
Google SecOps Namespace (string)
meta > destination > google_secops > namespace

This overrides the default namespace configured in the destination connector.
Google SecOps Timestamp (string)
meta > destination > google_secops > ts_rfc3339

The timestamp of the message in RFC3339 format. When set, log.time_unix_nano is ignored.

Labels (object)

meta > destination > labels

Labels set on the connector.

Name (string)

meta > destination > name

Name of the destination where AxoRouter sent the message.

Example: myrouter-splunk

Related metric label: destination_name

OpenObserve Metadata (object)

meta > destination > openobserve

Parameters for sending the message to an OpenObserve destination.

Prefix of related metric labels: openobserve_*

OpenObserve Fields (object)
meta > destination > openobserve > fields

Fields to send to OpenObserve. This overrides the default fields set by the destination connector.
OpenObserve Message (string)
meta > destination > openobserve > message

Override the message to send to OpenObserve. When set, log.body is ignored.
OpenObserve Organization (string)
meta > destination > openobserve > organization

The OpenObserve organization to send the message to.
OpenObserve Stream (string)
meta > destination > openobserve > stream

The OpenObserve stream to send the message to.
OpenObserve Timestamp (string)
meta > destination > openobserve > timestamp

Override the timestamp to send to OpenObserve. When set, log.time_unix_nano is ignored.

Google Pub/Sub Metadata (object)

meta > destination > pubsub

Parameters for sending the message to a Google PubSub destination.

Prefix of related metric labels: pubsub_*

Google Pub/Sub Attributes (object)
meta > destination > pubsub > attributes

Override the attributes key-value pairs for the Pub/Sub Event.
Google Pub/Sub Data (string)
meta > destination > pubsub > data

Override the data to send to Google Pub/Sub. When set, log.body is ignored.
Google Pub/Sub Project (string)
meta > destination > pubsub > project

The ID of the Google Cloud project where the data is sent.
Google Pub/Sub Topic (string)
meta > destination > pubsub > topic

The name of the Google Pub/Sub topic to send the data to.

S3 Metadata (object)

meta > destination > s3

Parameters for sending the message to a S3 destination.
S3 Record (string)
meta > destination > s3 > record

Override the message sent to S3. When set, log.body is ignored.

Security Lake Metadata (object)

meta > destination > security_lake

Parameters for sending the message to a Security Lake destination.
Security Lake Message (string)
meta > destination > security_lake > message

Override the message sent to Security Lake. When set, log.body is ignored.

Splunk metadata (object)

meta > destination > splunk

Parameters for sending the message to a Splunk destination.

Prefix of related metric labels: splunk_*

Event (string)
meta > destination > splunk > event

The raw event sent to Splunk. Overrides log.body and avoids automatic formatting completely.
Splunk Fields (object)
meta > destination > splunk > fields

Fields to send to Splunk. This overrides the default fields set by the destination connector.
Host (string)
meta > destination > splunk > host

The name of the host as sent to Splunk. Usually, this is the hostname of the source where the data originated from.
Splunk Index (string)
meta > destination > splunk > index

The name of the Splunk index where the message is sent. The index must exist in Splunk, otherwise sending the data will fail.
Splunk Source (string)
meta > destination > splunk > source

The source field sent to Splunk, containing where the event originated. For example, the protocol and port for network-based sources, or the path and filename for log files.
Splunk Sourcetype (string)
meta > destination > splunk > sourcetype

The Splunk sourcetype value that corresponds to appliance, application, or service that generated the data.
Splunk Time (string)
meta > destination > splunk > time

Override the time sent to Splunk. When set, log.time_unix_nano is ignored.

Sumo Logic Metadata (object)

meta > destination > sumologic

Parameters for sending the message to a Sumo Logic destination.
Sumo Logic Fields (object)
meta > destination > sumologic > fields

Fields to send to Sumo Logic. This overrides the default fields set by the destination connector.
Sumo Logic Message (string)
meta > destination > sumologic > message

Override the message sent to Sumo Logic. When set, log.body is ignored.
Sumo Logic Source Category (string)
meta > destination > sumologic > source_category

Override the source category configured in the destination connector.
Sumo Logic Source Name (string)
meta > destination > sumologic > source_name

Override the source name configured in the destination connector.

Syslog metadata (object)

meta > destination > syslog

Parameters for sending the message to a Syslog destination.
Syslog Message (string)
meta > destination > syslog > message

Override the message sent to Syslog. When set, log.body is ignored.

Type (string)

meta > destination > type

Type of the destination, for example, splunkHEC.

Possible values: azuremonitor, elasticsearch, openObserve, router, opentelemetry, pubsub, s3, splunkHEC, googleSecOps, sumologic

Example: splunkHEC

Related metric label: destination_type

Envelope (object)

meta > envelope

Application metadata parsed from the envelope.

Envelope Extracted Service metadata (object)

meta > envelope > service

Envelope Extracted service info about appliances.
Envelope Extracted Service Name (string)
meta > envelope > service > name

Envelope Extracted Service Name for appliance.

Splunk metadata extracted from the message envelope (object)

meta > envelope > splunk

Splunk metadata received from a Heavy Forwarder in the Axoflow envelope.
Host (string)
meta > envelope > splunk > host

The name of the host as received from Splunk. Usually, this is the hostname of the source where the data originated from.
Splunk Index (string)
meta > envelope > splunk > index

The name of the Splunk index where the message is received from.
Splunk Source (string)
meta > envelope > splunk > source

The source field received from Splunk, containing where the event originated. For example, the protocol and port for network-based sources, or the path and filename for log files.
Splunk Sourcetype (string)
meta > envelope > splunk > sourcetype

The Splunk sourcetype value that corresponds to appliance, application, or service that generated the data.

Message envelope type (string)

meta > envelope > type

Type of the message envelope as detected by AxoRouter.

Flow name (string)

meta > flow

Name of the flow processing the message.

Related metric label: flow

Host (object)

meta > host

Information about the host that sent the message.

Source Host Labels (object)

meta > host > labels

The labels set in the inventory for the host the message originates from. Note that if the host is sending data to an AxoRouter connector that doesn’t perform automatic classification, then changing the product and vendor labels can affect the final metadata in the destination, for example, the sourcetype assigned to the data in Splunk.

Prefix of related metric labels: host_label_*

Source Host Name (string)

meta > host > name

The name of the host the message originates from (based on the inventory).

Related metric label: host_name

Host Candidate (object)

meta > host_candidate

Device ID (string)

meta > host_candidate > id

Device ID found in the message.

Related metric label: host_candidate_id

IP Address (string)

meta > host_candidate > ip

IP address found in the message.

Related metric label: host_candidate_ip

Host Name of the Last Hop (string)

meta > host_candidate > last_hop_name

Host field found in the message’s envelope (which can be either the subject of the message, or the name of the host that forwarded it).

Related metric label: host_candidate_last_hop_name

Host Name (string)

meta > host_candidate > name

Host name found in the message.

Related metric label: host_candidate_name

Kubernetes (object)

meta > kubernetes

Kubernetes metadata received from the collector.

Container Name (string)

meta > kubernetes > container

Kubernetes container name found in the message metadata.

Related metric label: kubernetes_container

Namespace (string)

meta > kubernetes > namespace

Name of the Kubernetes namespace found in the message metadata.

Related metric label: kubernetes_namespace

Product (string)

meta > product

The product name of the appliance, application, or service that generated the message.

Related metric label: product

Router (object)

meta > router

The name and labels of the AxoRouter instance that processed the message.

Labels (object)

meta > router > labels

Labels of the AxoRouter instance that processed the message.

Prefix of related metric labels: axo_host_label_*

Router Name (string)

meta > router > name

The name of the AxoRouter instance that processed the message.

Related metric label: axo_host_name

Service metadata (object)

meta > service

Information about the service that generated the message.

Service Name (string)

meta > service > name

Name of the service that generated the message. For syslog messages, that’s usually the value of the PROGRAM field.

Related metric label: service

Vendor (string)

meta > vendor

The vendor of the appliance, application, or service that generated the message.

Related metric label: vendor

Resource (object)

resource

The resource data structure describes the resource that generated the log record.

Resource Attributes (object)

resource > attributes

Attributes that describe the resource. Every attribute key must be unique.

Scope (object)

scope

Log Scope representation

Scope Attributes (object)

scope > attributes

Attributes that describe the log scope. Every attribute key must be unique.

Name (string)

scope > name

Name of the log scope

Version (string)

scope > version

Version of the log scope